Notice of Data Security Incident

The privacy and security of the personal information entrusted to us is of the upmost importance to OrthoConnecticut. We are writing to provide you with information regarding a recent cybersecurity incident. As such, we wanted to provide you with information about the incident, explain the services we are making available to you, and let you know that we continue to take significant measures to protect your personal information.

OrthoConnecticut recently became aware of unauthorized access to our network environment. As soon as we became aware of the issue, we launched an investigation, contained and secured the network, eradicated the threat, and alerted law enforcement. As part of the investigation, we have been working very closely with third-party cybersecurity professionals experienced in handling these types of incidents. The investigation aimed to determine the nature and scope of the incident and whether any sensitive data, including personal and/or health information, was accessed and/or acquired by the unauthorized party.

After a thorough and detailed forensic investigation, we determined the unauthorized actor accessed our network between November 24, 2023 and November 28, 2023 and, as a result, may have accessed and removed certain files from our network environment. Upon learning this, we promptly conducted an extensive and comprehensive review of the impacted files and, on March 27, 2024, we discovered that certain files containing personal information may have been accessed and/or acquired by the unauthorized party. On May 10, 2024, additional individuals were identified as having personal information contained in the files.

The impacted data contained the personal information of certain individuals, including full names in combination with one or more of the following: Social Security number, Driver’s license/government ID number, passport number, date of birth, medical record number, medical date of service, treatment location, treatment cost, procedure type, provider name, health insurance information, health insurance policy number, health insurance information, health benefit plan name, health insurance group number, patient ID number, mental or physical condition, diagnosis, diagnosis code, prescription information, subscriber member number, billing/claim information, patient account number, financial account number, and routing number. Please note that impacted information varies by individual.

We have no evidence that any information has been misused as a direct result of this incident. Nevertheless, out of an abundance of caution, we are notifying affected individuals of the scope of the incident. This notice provides other precautionary measures individuals can take to protect their personal information, including placing a Fraud Alert and Security Freeze on your credit files and obtaining a free credit report. Additionally, impacted individuals should always remain vigilant in reviewing their credit reports on a regular basis and report any irregular activity immediately.

Please accept our apologies that this incident occurred. OrthoConnecticut remains fully committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it, including continually evaluating and modifying its practices and internal controls.

Individuals who think they may have been impacted and did not receive a notification letter, or have any further questions regarding this incident can call our dedicated and confidential toll-free response line that we have to set up to respond to questions at 1-844-825-0293. This response line is staffed with professionals familiar with this incident and knowledgeable on what can be done to protect personal information. The response line is available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding holidays.

 

— OrthoConnecticut

 

1.         Placing a Fraud Alert on Your Credit File.

We recommend that you place an initial one-year “fraud alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

 

Equifax
P.O. Box 105069
Atlanta, GA 30348-5069
https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/
(800) 525-6285

 

Experian
P.O. Box 9554
Allen, TX 75013
https://www.experian.com/fraud/center.html
(888) 397-3742

 

TransUnion
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19016-2000
https://www.transunion.com/fraud-alerts
(800) 680-7289

 

2.         Placing a Security Freeze on Your Credit File.

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

 

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348  
https://www.equifax.com/personal/credit-report-services/credit-freeze/
(800) 349-9960
(888) 298-0045

 

Experian Security Freeze
P.O. Box 9554;
Allen, TX 75013
http://experian.com/freeze
(888) 397-3742

 

TransUnion Security Freeze
P.O. Box 160
Woodlyn, PA 19094
https://www.transunion.com/credit-freeze
(888) 909-8872

 

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

 

3.         Obtaining a Free Credit Report.

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

 

4.         Additional Helpful Resources.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

If this notice letter states that your financial account information and/or credit or debit card information was impacted, we recommend that you contact your financial institution to inquire about steps to take to protect your account, including whether you should close your account or obtain a new account number.

If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the city in which you currently reside.

 

5.         Protecting Your Medical Information.

The following practices can help to protect you from medical identity theft.

• Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
• Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access to current date.
• Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

 

New York Residents: You may obtain information about preventing identity theft from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; https://ag.ny.gov/consumer-frauds-bureau/identity-theft; Telephone: 800-771-7755.

North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov/, Telephone: 877-566-7226 (Toll-free within North Carolina), 919-716-6000.